Skip to content

refactor: implement measure #33

refactor: implement measure

refactor: implement measure #33

Workflow file for this run

name: CI
permissions:
contents: read
pull-requests: read
actions: read
env:
REPO: "sealio"
VERSION: "${{ github.ref_name }}"
BUILD_PLATFORMS: "linux/amd64,linux/arm64"
PARALLELIZE: "false"
GO_VERSION: "1.21.5"
defaults:
run:
shell: bash
on:
workflow_dispatch: { }
push:
tags:
- "v*.*.*"
branches:
- "main"
paths-ignore:
- "docs/**"
- "**.md"
- "**.mdx"
- "**.png"
- "**.jpg"
pull_request:
branches:
- "main"
paths-ignore:
- "docs/**"
- "**.md"
- "**.mdx"
- "**.png"
- "**.jpg"
jobs:
build:
timeout-minutes: 60
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v3
with:
# checkout the whole histories for commitsar,
# currently commitsar needs full git objects to work correctly.
fetch-depth: 0
persist-credentials: false
- name: Setup Go
timeout-minutes: 15
uses: actions/setup-go@v4
with:
go-version: "${{ env.GO_VERSION }}"
cache-dependency-path: |
**/go.sum
- name: Setup Toolbox
timeout-minutes: 5
uses: actions/cache@v3
with:
# restore/save service binaries, e.g. goimports, golangci-lint, commitsar.
key: toolbox-${{ runner.os }}
path: |
${{ github.workspace }}/.sbin
- name: Build
run: make ci
env:
LINT_DIRTY: "true"
PACKAGE_BUILD: "false"
- name: Archive Publish Result
uses: actions/cache/save@v3
with:
# save package resources, e.g. go build result, downloaded UI, entrypoint script.
key: archive-${{ runner.os }}-${{ github.sha }}
path: |
${{ github.workspace }}/.dist/package
publish:
needs:
- build
permissions:
contents: write
actions: read
id-token: write
timeout-minutes: 60
runs-on: ubuntu-22.04
strategy:
matrix:
include:
- target: hermitcrab
task: server
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
persist-credentials: false
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:qemu-v7.0.0
platforms: "arm64"
- name: Setup Buildx
uses: docker/setup-buildx-action@v3
- name: Login DockerHub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@v3
with:
username: ${{ secrets.CI_DOCKERHUB_USERNAME }}
password: ${{ secrets.CI_DOCKERHUB_PASSWORD }}
- name: Unarchive Publish Result
timeout-minutes: 5
uses: actions/cache/restore@v3
with:
# restore package resources, e.g. go build result, downloaded UI, entrypoint script.
key: archive-${{ runner.os }}-${{ github.sha }}
path: |
${{ github.workspace }}/.dist/package
- name: Get Metadata
id: metadata
uses: docker/metadata-action@v5
with:
images: ${{ env.REPO }}/${{ matrix.target }}
- name: Package
uses: docker/build-push-action@v5
id: package
with:
push: ${{ github.event_name != 'pull_request' }}
file: .dist/package/${{ matrix.target }}/${{ matrix.task }}/image/Dockerfile
context: .dist/package/${{ matrix.target }}/${{ matrix.task }}/
platforms: ${{ env.BUILD_PLATFORMS }}
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
# configure build cache,
# ref to https://github.com/moby/buildkit/tree/v0.11.5#registry-push-image-and-cache-separately.
cache-from: |
type=registry,ref=${{ env.REPO }}/build-cache:${{ matrix.target }}-${{ matrix.task }}
cache-to: |
${{ github.event_name != 'pull_request' && format('type=registry,mode=max,oci-mediatypes=false,compression=gzip,ref={0}/build-cache:{1}-{2},ignore-error=true', env.REPO, matrix.target, matrix.task) || '' }}
- name: Setup Cosign
if: ${{ github.event_name != 'pull_request' }}
uses: sigstore/cosign-installer@v3.3.0
with:
cosign-release: v2.2.2
- name: Prove
if: ${{ github.event_name != 'pull_request' }}
run: |
set -euo pipefail
# login
cosign login "docker.io" -u "${DOCKERHUB_USERNAME}" -p "${DOCKERHUB_PASSWORD}"
# prove
curl -o slsa-generator --retry 3 --retry-all-errors --retry-delay 3 -sSfL \
"https://github.com/slsa-framework/slsa-github-generator/releases/download/${SLSA_GITHUB_GENERATOR_VERSION}/${SLSA_GITHUB_GENERATOR}"
chmod a+x slsa-generator
predicate_name="predicate.json"
./slsa-generator generate --predicate="${predicate_name}"
cosign attest --predicate="${predicate_name}" \
--type slsaprovenance \
--yes \
"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
env:
COSIGN_EXPERIMENTAL: "1"
SLSA_GITHUB_GENERATOR: "slsa-generator-container-linux-amd64"
SLSA_GITHUB_GENERATOR_VERSION: "v1.5.0"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
UNTRUSTED_IMAGE: "${{ env.REPO }}/${{ matrix.target }}"
UNTRUSTED_DIGEST: "${{ steps.package.outputs.digest }}"
DOCKERHUB_USERNAME: "${{ secrets.CI_DOCKERHUB_USERNAME }}"
DOCKERHUB_PASSWORD: "${{ secrets.CI_DOCKERHUB_PASSWORD }}"
continue-on-error: true